2.4 Understanding TLS Encryption

Understanding Transport Layer Security (TLS) encryption is particularly important if you reinstall the server while an old server certificate remains in either your agent or your client user profile. It's kind of like “ssh”: if you have an old certificate, you need to either manually replace it or delete it and allow the client or agent to download the new one from the server, using one of the following procedures:

For the Agent:
The TLS certificate is in <agentdir>/tls/server.pem. Deleting this certificate will cause the agent, by default, to log a minor warning message and download the new one the next time it tries to connect to the server. This is technically not secure, since the downloaded certificate is accepted without verification and the server that supplied it could be an impersonator. If security is required for this small window of time, then the real server’s <serverdir>/<instancedir>/tls/cert.pem can be copied to the above server.pem file.

For the Client:
The easiest way to update the certificate from the command line tools is to simply answer "yes" both times when prompted about the out-of-date certificate. This is, again, not 100% secure, but is suitable for most situations. For absolute security, hand copy the server’s cert.pem (see above) to ~/.novell/zos/client/tls/<serverIPAddr:Port>.pem.

For Java SDK clients:
Follow the manual copy technique above to replace the certificate. If the local network is fairly trustworthy, you can also delete the above ~/.novell/.../*.pem files, which will cause the client to auto-download the new certificate on a once-only basis.
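As an added example (not code from the Orchestrator documentation or product), the following shows the three outcomes of the pinned-certificate check described above for a client pin file: a first-use download, a mismatch after the server was reinstalled, and a match after the hand copy of cert.pem. The pin file name 10.0.0.5:8100.pem and the PEM bodies are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import os
import ssl
import tempfile


def fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate; this is the value to
    compare out-of-band with the real server's cert.pem before trusting it."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()


def check_pinned(pin_path: str, presented_pem: str, allow_first_use: bool) -> str:
    """Compare the certificate a server presents with the pinned copy on disk.
    'pinned-on-first-use' is the unverified window the text describes (the same
    thing the agent's auto-download does); 'mismatch' is an old certificate after
    a reinstall, or an impersonator, and must not be accepted silently."""
    if not os.path.exists(pin_path):
        if not allow_first_use:
            return "no-pin"
        with open(pin_path, "w") as fh:
            fh.write(presented_pem)
        return "pinned-on-first-use"
    with open(pin_path) as fh:
        pinned = fh.read()
    return "match" if fingerprint(pinned) == fingerprint(presented_pem) else "mismatch"


def install_pin(server_cert_path: str, pin_path: str) -> str:
    """The 'hand copy' route: copy the real server's cert.pem over the pin file."""
    with open(server_cert_path) as src, open(pin_path, "w") as dst:
        pem = src.read()
        dst.write(pem)
    return fingerprint(pem)


def fake_pem(label: bytes) -> str:
    # Constructed stand-in: PEM framing around arbitrary bytes. Enough for the
    # fingerprint logic above, but not a parseable X.509 certificate.
    body = base64.encodebytes(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def demo() -> dict:
    old_cert = fake_pem(b"old server cert, before reinstall (constructed)")
    new_cert = fake_pem(b"new server cert, after reinstall (constructed)")
    with tempfile.TemporaryDirectory() as tmp:
        server_cert = os.path.join(tmp, "cert.pem")   # stands in for <serverdir>/<instancedir>/tls/cert.pem
        pin = os.path.join(tmp, "10.0.0.5:8100.pem")  # stands in for <serverIPAddr:Port>.pem (constructed)
        with open(server_cert, "w") as fh:
            fh.write(new_cert)
        results = {"first_use": check_pinned(pin, old_cert, allow_first_use=True),
                   "after_reinstall": check_pinned(pin, new_cert, allow_first_use=True)}
        results["hand_copy_fp"] = install_pin(server_cert, pin)
        results["after_copy"] = check_pinned(pin, new_cert, allow_first_use=False)
        results["old_cert_now"] = check_pinned(pin, old_cert, allow_first_use=False)
    return results
```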